Cornell teams join NSF campaign for cybersecurity

Cornell, already a major player in computer security research, will make a large contribution to a new cybersecurity push by the National Science Foundation (NSF).

Six Cornell researchers will receive grants totaling more than $3 million as part of the NSF Secure and Trustworthy Cyberspace (SaTC) program.

“It’s not surprising, given the strength of our faculty in this area,” said Greg Morrisett, dean of Computing and Information Science, “and we have maintained that with strong new hires.”

As financial risks grow, “Government and business are giving new attention to cybersecurity,” he noted. And with the growth of the “Internet of Things,” he added, there may be risks to life and property through improper remote access to physical devices. Business will gain from being able to promise that their hardware and software is secure, he said.

Cornell research, he said, has focused largely on building systems that are inherently secure, rather than patching vulnerabilities when they crop up. For example, Fred Schneider, the Samuel B. Eckert Professor of Computer Science, proposes computer programming languages that require the programmer to write secure code.

Morrisett and Schneider have been members of security advisory boards for both Intel and Microsoft. Schneider is chief scientist for the NSF Science and Technology Center TRUST (Team for Research in Ubiquitous Secure Technologies). “Trustworthy computing,” Schneider points out, means that a system must do its work correctly, as well as being safe from outside attacks.

“NSF-supported cybersecurity research builds the foundational and multidisciplinary knowledge bases needed to protect us in cyberspace – an environment that has expanded beyond computers to encompass many aspects of our physical world and critical infrastructure,” said Jim Kurose, NSF assistant director for computer and information science and engineering, in announcing the program. SaTC investments include 257 new projects to researchers in 37 states, totaling $74.5 million.

The new Cornell projects:

Deborah Estrin, professor of computer science at Cornell Tech, will look for ways to inject “privacy by design” into the development of applications that process small amounts of personal data. Estrin’s lab is developing applications that use data collected by mobile devices to monitor mental and physical health and increase productivity. She will map how data about such activities as emailing, grocery shopping, TV watching and transportation flow through the application, to control where they go and in what form. Estrin will collaborate on the project with New York University philosopher Helen Nissenbaum.

Thomas Ristenpart, associate professor of computer science at Cornell Tech, will try to make cloud computing less dangerous. “Infrastructure as a service” allows a user to, in effect, rent time on a large, powerful computer in the cloud. But a user may share processors and memory with other users who could, accidentally or on purpose, look at the data as they pass by. Ristenpart will develop scheduling algorithms that keep one user’s work from overlapping another’s and eliminate pricing schemes that give users an incentive to intrude on someone else’s CPU time. Ristenpart’s grant falls under the NSF CAREER program designed to support young researchers.

Ari Juels, a computer science professor at the Jacobs Technion-Cornell Institute at Cornell Tech, will develop new encryption methods, focusing on encryption of passwords and other user authentication. The project develops a new framework, called Distribution-Sensitive Cryptography, which takes into account the fact that the statistical distribution of words in text might offer clues to break the encryption. Juels has been an advocate of foiling attackers by filling storage with fake data.

Emin Gun Sirer, associate professor of computer science, will try to build a sound new base for “cryptocurrency” – online financial systems like Bitcoin. Current systems, Sirer says, are insecure, and the underlying structure offers no way to achieve security. He proposes to create a new foundation blending cryptography, game theory, programming languages and systems security techniques on which to build a new, secure digital currency system and a system for smart contracts. He will bring together technologists, economists, social scientists and policymakers to shape the future of digital currencies.

Ed Suh, associate professor of electrical and computer engineering, and Andrew Myers, professor of computer science, will combine their expertise in hardware and software, respectively, to create a system in which both work together to create security, using software to track information flow through hardware. As part of the project they will design a new high-performance microprocessor with verified-secure information flow. Their work could have a significant impact on how computing systems are designed and could make the next generation of computing devices and platforms inherently more secure, they said.

Other ongoing Cornell research in cybersecurity:

Greg Morrisett, dean of the Computing and Information Science, works to develop compilers (programs that translate a programmer’s instructions into machine code that can be executed on a computer) that will enforce security. He focuses on ensuring the safety of “mobile code” that is downloaded from an outside source to run on a local computer or mobile device.

Andrew Myers, professor of computer science, focuses on distributed systems, where data is processed and stored in several locations, to ensure that the flow of information between those locations is secure. He has developed a language to design hardware that is inherently secure. Myers is co-editor-in-chief of the Journal of Computer Security.

Rafael Pass, associate professor of computer science, adds encrypted signatures to messages to thwart “man in the middle” intrusions, where an intruder intercepts messages between two parties – making them think they are communicating directly with each other – and can read or change the messages as they pass by.

Elaine Runting Shi, associate professor of computer science, has won a 2015 Packard Fellowship in Science and Engineering for her work that blends cryptography, programming languages, and secure hardware and software systems. She designs new programming paradigms that enable nonspecialist developers to easily program cryptography to ensure that sensitive data is kept private.

Emin Gün Sirer, associate professor of computer science, builds computer and network operating systems that ensure “trusted computing” by guaranteeing that a program actually does what it claims to do. He recently pointed out vulnerabilities in the Bitcoin online currency system.